Updates Google Chrome disables insecure form warnings after complaints

silversurfer

Aug 17, 2014
Google has disabled a feature that displays a warning when submitting insecure forms after receiving many complaints from users and website administrators.

Google has been focusing on removing mixed-content in Google Chrome, when a secure page (HTTPS) loads content from an insecure (HTTP) URL. As part of this initiative, Google rolled out a new feature in Chrome 86 that warns users when submitting insecure forms from a secure (HTTPS) page to an insecure (HTTP) URL.

Submitting an insecure form would display a warning about the risks of doing so and ask the user whether they wish to continue submitting the information.

Insecure form warning

With the release of Chrome 87, this new feature went live for everyone, and many website administrators began reporting problems in a Chromium bug report.

The problem is that Google Chrome would show the insecure form warning even when the form itself was submitted securely and only a later redirect sent the user to an HTTP URL.

For example, a form submission flow of HTTPS Form > HTTPS URL > Redirect to HTTP URL would generate a warning in Chrome, even though the form was submitted securely. These warnings would then break the redirect chain websites use after submitting a form or logging into the site.

Chrome users say that this is a bug as the form submissions are secure, and only the redirect went to an HTTP URL.

On December 15th, Google software engineer Carlos Joan Rafael Ibarra Lopez stated that they are disabling the feature in Chrome 87 to adjust it, so HTTP redirects after a secure form submission do not generate a warning.

"After considering the unexpectedly large impact this change had on form submissions that involve redirects through HTTP sites, we have decided to roll back the change for Chrome 87. We expect the configuration to be out later today, at which point it will take effect on the next Chrome restart. I'll ping this bug with updates.

We are planning to re-enable the warnings in Chrome 88 (tentatively going to stable on January 19, 2021), but warning only on forms that directly submit to http://, or that redirect to http:// with the form data preserved through the redirect, so it won't trigger for the cases mentioned in this bug where the http:// hop didn't carry the form data.

That being said, I still encourage sites to keep https:// throughout the whole redirect chain, as http:// steps still compromise user privacy (by exposing the form target location) even if no form data is being exposed.

Apologies for the issues caused by this new warning."
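The two behaviours described above (Chrome 87 warning on any HTTP hop in the redirect chain, and the planned Chrome 88 rule of warning only when the form data itself reaches an http:// URL) can be modelled as a small classifier over a submission chain. This is an added example, not code from the article, from Google or from Chromium. It assumes a simplified model of a chain as the form's action URL plus a list of (status code, Location) redirects, and it treats "form data preserved through the redirect" as a 307 or 308 redirect of the POST, since those are the status codes that keep the method and body, while 301, 302 and 303 turn the request into a body-less GET in browsers; that mapping is the example's own assumption, not something the article states. All sample chains are constructed.

```python
from urllib.parse import urlparse

# Assumption (not from the article): only 307/308 redirects carry the POST
# body onward; 301/302/303 are followed as a GET without the form data.
BODY_PRESERVING = {307, 308}


def is_http(url: str) -> bool:
    """True if the URL is plain http:// (the scheme Chrome treats as insecure)."""
    return urlparse(url).scheme.lower() == "http"


def all_hops(action_url: str, redirects: list[tuple[int, str]]) -> list[str]:
    """Every URL the submission touches: the action plus each Location target."""
    return [action_url] + [location for _, location in redirects]


def chrome87_warns(action_url: str, redirects: list[tuple[int, str]]) -> bool:
    """Reported Chrome 87 behaviour: warn if any hop in the chain is http://."""
    return any(is_http(u) for u in all_hops(action_url, redirects))


def chrome88_warns(action_url: str, redirects: list[tuple[int, str]]) -> bool:
    """Planned Chrome 88 rule: warn only if the form data reaches an http:// URL,
    i.e. the action is http:// or a body-preserving redirect lands on http://."""
    if is_http(action_url):
        return True
    data_preserved = True
    for status, location in redirects:
        # Once a non-preserving redirect drops the body, it stays dropped.
        data_preserved = data_preserved and status in BODY_PRESERVING
        if data_preserved and is_http(location):
            return True
    return False


def privacy_leaking_hops(action_url: str, redirects: list[tuple[int, str]]) -> list[str]:
    """http:// hops that expose the form's target location even when no form
    data is carried, the residual concern the engineer's note points out."""
    return [u for u in all_hops(action_url, redirects) if is_http(u)]


def audit(action_url: str, redirects: list[tuple[int, str]]) -> dict:
    """Summarise a chain the way a site operator checking their login flow would."""
    return {
        "chrome87_warns": chrome87_warns(action_url, redirects),
        "chrome88_warns": chrome88_warns(action_url, redirects),
        "http_hops": privacy_leaking_hops(action_url, redirects),
    }


# Constructed sample chains (hostnames are placeholders).
# The case from the bug report: HTTPS form -> HTTPS URL -> 302 to HTTP.
CHAIN_REDIRECT_TO_HTTP = ("https://shop.example/login",
                          [(302, "http://shop.example/welcome")])
# A 307 to http:// forwards the POST body, so the data really is exposed.
CHAIN_BODY_TO_HTTP = ("https://shop.example/login",
                      [(307, "http://legacy.example/login")])
# A form that posts straight to http://.
CHAIN_DIRECT_HTTP = ("http://shop.example/login", [])
# Fully HTTPS chain, what the engineer recommends.
CHAIN_ALL_HTTPS = ("https://shop.example/login",
                   [(302, "https://shop.example/welcome")])

if __name__ == "__main__":
    for name, (action, hops) in {
        "redirect_to_http": CHAIN_REDIRECT_TO_HTTP,
        "body_to_http": CHAIN_BODY_TO_HTTP,
        "direct_http": CHAIN_DIRECT_HTTP,
        "all_https": CHAIN_ALL_HTTPS,
    }.items():
        print(name, audit(action, hops))
```

Run it and the first chain shows the disagreement that triggered the complaints: Chrome 87 warns, the Chrome 88 rule does not, yet `http_hops` is non-empty, which is exactly why the engineer still recommends keeping https:// through the whole chain.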